Irish Authorities Levy GDPR Fine in Centric Health Breach2019 Ransomware Breach Affected 70,000 Patients, Destroyed Records of 2,500 of Them
Irish authorities have fined a Dublin-based healthcare entity 460,000 euros - about $490,000 - for General Data Protection Regulation violations in the wake of a Calum ransomware attack.
The incident compromised sensitive information of 70,000 of patients of Centric Health Ltd., including the permanent deletion of data for about 2,500 individuals, according to Ireland's Data Protection Commission's decision in January.
The incident affected seven clinics, including 11 general practitioner practices of Primacare Health Professionals CLG - a subsidiary of Centric Health that was acquired in August 2016, the commission says in its report.
Centric, which has about 500 employees, provides primary healthcare general practitioner, plus dental, specialist and occupational services to more than 400,000 patients across Ireland, the report says.
The DPC says it received a data breach notification from Centric on Dec. 5, 2019, concerning a ransomware attack Centric had detected on Dec. 3, 2019. The incident involved encryption of patient data. A ransom demand was paid, and the breach ultimately resulted in unauthorized access and alteration of some personal data as well as permanent deletion of some personal data.
Patient data affected by the incident included names, birthdates, Personal Public Service Number and contact details.
Of the 70,000 patients affected, the breached data included clinical data, "which is special category health data," the report says. "Data on the system was backed up nightly and a snapshot of data was taken each day, but these backups were also affected by the malware."
Data was partially restored from other backups, but some of it was irretrievably deleted, the report says. Backups of patient data between certain dates were unavailable through cloud storage. One server containing the practice management system database "no longer existed," the report says.
Forensic consultants, engaged to assist with the data recovery determined that the personal data of approximately 2,500 patients was permanently deleted.
Ironically, the legacy Primacare systems under the control of Centric Health "were in the process of being phased out when the incident occurred."
Centric subsequently paid an unspecified ransom to the attackers in return for a decryptor key, the report says. "Centric established that the key did not pose any threat, but that … the decryptor could not be applied to the affected data as it had been deleted in the interim."
DPC says that while Centric stated in its initial breach notification that 70,000 data subjects were affected by the breach, it only issued notifications to the 2,500 individuals whose data was irretrievably lost in the incident.
Besides the inadequate breach communication to affected individuals, the fine levied against Centric also reflects a variety of other GDPR infringements, including "failure to implement technical and organizational measures appropriate to the level of risk" posed to personal and special category data on Centric's server.
"The failure to implement the necessary safeguards in an effective manner at the appropriate time led to the possibility of patients' personal data being erroneously disclosed to unauthorized people," the report says.
Centric, in a statement provided to Information Security Media Group, says that at the time of the cyberattack, it immediately informed the DPC and cooperated fully with the investigation.
"We want to assure our patients that we take our responsibility to protect their data and ensure the security of our IT systems very seriously," Centric says. "We are doing everything we can to mitigate against any potential future criminal attack. We continue to invest significantly in our cybersecurity and data protection processes and procedures and are operating in line with international best practice in these areas. "
The enforcement action against Centric illustrates critical considerations for the healthcare industry, whether an entity is governed by GDPR in Europe, HIPAA in the U.S. or health data privacy and security regulations in other global regions, some experts say.
The fine imposed on Centric was based on several factors, "key of which was ensuring appropriate security and good governance," says regulatory attorney Brad Rostolsky of law firm Reed Smith.
"There is a lesson in that for those healthcare companies that do adequately protect data or have well-documented governance processes," he says. "Organizations should conduct risk assessments on a regular or annual basis and ensure that they are doing as much as possible to keep patient data safe from authorized access or destruction," he says.
"Claiming to be a victim of a ransomware attack doesn't cut it if system security was substandard in the first place," Rostolsky says.